Re: Bug#540215: Introduce dh_checksums

To: debian-devel@lists.debian.org, debian-dpkg@lists.debian.org
Cc: Goswin von Brederlow <goswin-v-b@web.de>, Wouter Verhelst <wouter@debian.org>
Subject: Re: Bug#540215: Introduce dh_checksums
From: Raphael Hertzog <hertzog@debian.org>
Date: Fri, 16 Apr 2010 08:08:13 +0200
Message-id: <20100416060813.GA12604@rivendell>
Mail-followup-to: debian-devel@lists.debian.org, debian-dpkg@lists.debian.org, Goswin von Brederlow <goswin-v-b@web.de>, Wouter Verhelst <wouter@debian.org>
In-reply-to: <20100416010251.GA25023@sbs288.lan>
References: <1268956013.11872.58.camel@solid.paris.klabs.be> <871vfhchnc.fsf@windlord.stanford.edu> <20100320004007.GC1000@nn.nn> <87eijfstdj.fsf@windlord.stanford.edu> <20100320122752.GD1000@nn.nn> <20100323101927.GR21254@celtic.nixsys.be> <20100415124407.GA3084@rivendell> <871vegstfg.fsf@frosties.localdomain> <20100415150344.GA8065@rivendell> <20100416010251.GA25023@sbs288.lan>

On Fri, 16 Apr 2010, Harald Braumann wrote:
> On Thu, Apr 15, 2010 at 05:03:44PM +0200, Raphael Hertzog wrote:
> 
> > Even if it creates a checksum file, someone could always hand-edit the
> > package to add files not listed in the checksum files and we need to
> > decide whether that's something that needs to be catched and if yes by
> > whom and at what point.
> 
> Do you mean a maintainer, who hand-edits a package after it was
> built, or do you mean an adversery who has evil intentions? If the

The latter.

> former, then this should just be forbidden. If the latter, than this
> can be solved by package signatures.

Which one? We are discussing something that is a signature of the (content
of the) package. And there's the signature on Release/Package which can
authenticate the .deb in its entirety.

I'm discussing the case where the signature of the "checksums" file is valid
but that checksums file does not list all the files present in
data.tar.gz or control.tar.gz.

Cheers,
-- 
Raphaël Hertzog

Like what I do? Sponsor me: http://ouaza.com/wp/2010/01/05/5-years-of-freexian/
My Debian goals: http://ouaza.com/wp/2010/01/09/debian-related-goals-for-2010/

Reply to:

Follow-Ups:
- Re: Bug#540215: Introduce dh_checksums
  - From: Harald Braumann <harry@unheit.net>
- Re: Bug#540215: Introduce dh_checksums
  - From: Goswin von Brederlow <goswin-v-b@web.de>

References:
- Re: Bug#540215: Introduce dh_checksums
  - From: Raphael Hertzog <hertzog@debian.org>
- Re: Bug#540215: Introduce dh_checksums
  - From: Goswin von Brederlow <goswin-v-b@web.de>
- Re: Bug#540215: Introduce dh_checksums
  - From: Raphael Hertzog <hertzog@debian.org>
- Re: Bug#540215: Introduce dh_checksums
  - From: Harald Braumann <harry@unheit.net>

Prev by Date: Re: Bug#540215: Introduce dh_checksums
Next by Date: Re: Review wanted for conffile handling functions in dpkg
Previous by thread: Re: Bug#540215: Introduce dh_checksums
Next by thread: Re: Bug#540215: Introduce dh_checksums
Index(es):
- Date
- Thread